// Copyright 2019 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // https://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // This class should be used in the client code, in a place where sandboxing // should be engaged. #ifndef SANDBOXED_API_SANDBOX2_CLIENT_H_ #define SANDBOXED_API_SANDBOX2_CLIENT_H_ #include #include #include #include #include "absl/container/flat_hash_map.h" #include "absl/status/status.h" #include "sandboxed_api/sandbox2/comms.h" #include "sandboxed_api/sandbox2/logsink.h" #include "sandboxed_api/sandbox2/network_proxy/client.h" namespace sandbox2 { class Client { public: // Client is ready to be sandboxed. static constexpr uint32_t kClient2SandboxReady = 0x0A0B0C01; // Sandbox is ready to monitor the sandboxee. static constexpr uint32_t kSandbox2ClientDone = 0x0A0B0C02; // Sandboxe should setup seccomp_unotify and send back the FD. static constexpr uint32_t kSandbox2ClientUnotify = 0x0A0B0C03; explicit Client(Comms* comms); Client(const Client&) = delete; Client& operator=(const Client&) = delete; // Receives a sandbox policy over the comms channel and enables sandboxing. // Using this method allows to have a sandbox-aware sandboxee perform complex // initialization first and then enable sandboxing for actual processing. void SandboxMeHere(); // Returns the file descriptor that was mapped to the sandboxee using // IPC::ReceiveFd(name). int GetMappedFD(const std::string& name); bool HasMappedFD(const std::string& name); // Registers a LogSink that forwards all logs to the supervisor. void SendLogsToSupervisor(); // Returns the network proxy client and starts it if this function is called // for the first time. NetworkProxyClient* GetNetworkProxyClient(); // Redirects the connect() syscall to the ConnectHandler() method in // the NetworkProxyClient class. absl::Status InstallNetworkProxyHandler(); protected: // Comms used for synchronization with the monitor, not owned by the object. Comms* comms_; private: static constexpr const char* kFDMapEnvVar = "SB2_FD_MAPPINGS"; friend class ForkServer; // Seccomp-bpf policy received from the monitor. std::vector policy_; // LogSink that forwards all log messages to the supervisor. std::unique_ptr logsink_; // NetworkProxyClient that forwards network connection requests to the // supervisor. std::unique_ptr proxy_client_; // In the pre-execve case, the sandboxee has to pass the information about // file descriptors to the new process. We set an environment variable for // this case that is parsed in the Client constructor if present. absl::flat_hash_map fd_map_; std::string GetFdMapEnvVar() const; // Sets up communication channels with the sandbox. // preserved_fd contains file descriptor that should be kept open and alive. // The FD number might be changed if needed. // preserved_fd can be a nullptr. void SetUpIPC(int* preserved_fd); // Sets up the current working directory. void SetUpCwd(); // Receives seccomp-bpf policy from the monitor. void ReceivePolicy(); // Applies sandbox-bpf policy, have limits applied on us, and become ptrace'd. void ApplyPolicyAndBecomeTracee(); void PrepareEnvironment(int* preserved_fd = nullptr); void EnableSandbox(); }; } // namespace sandbox2 #endif // SANDBOXED_API_SANDBOX2_CLIENT_H_